[backport core/1.39] fix: prevent XSS vulnerability in context menu labels #8924

pythongosssss merged 1 commit into core/1.39 from
Replace innerHTML with textContent when setting context menu item labels to prevent XSS attacks via malicious filenames. This fixes a security vulnerability where filenames like "<img src=x onerror=alert()>" could execute arbitrary JavaScript when displayed in dropdowns.

https://claude.ai/code/session_01LALt1HEgGvpWD7hhqcp2Gu

┆Issue is synchronized with this [Notion page](https://www.notion.so/PR-8887-fix-prevent-XSS-vulnerability-in-context-menu-labels-3086d73d365081ccbe3cdb35cd7e5cb1) by [Unito](https://www.unito.io)

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions <github-actions@github.com>
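The pattern the description refers to, as an added example that is not code from the project or from this PR: a context-menu label built from a user-controlled filename is written with `textContent`, which creates one text node and never parses markup, so the sample filename from the description is displayed literally. For the narrower case where a label template genuinely has to carry markup (an icon span next to the name), the untrusted part is escaped before interpolation; `escapeHtml`, `renderMenuItemHtml`, the icon class and the menu element shape are assumptions of this example.

```javascript
// Added example, not project code. Shows the safe way to put an untrusted
// filename into a context-menu label, and the escaping fallback for the
// case where the label template itself must contain markup.

// Constructed sample input: the payload shape given in the PR description.
const MALICIOUS_FILENAME = '<img src=x onerror=alert()>';

// Preferred fix (what the PR does): textContent writes a single text node.
// The browser never tokenizes the string as HTML, so no <img> element and
// no onerror handler can come into existence, whatever the filename holds.
function setMenuLabel(el, label) {
  el.textContent = label;
  return el;
}

// Fallback for templates that must carry markup: escape the five characters
// that matter in element-text and attribute-value context before the
// untrusted value is concatenated into an innerHTML string.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical label template: an icon followed by the filename. Every
// interpolated value, including the icon class, goes through escapeHtml.
function renderMenuItemHtml(label, iconClass = 'pi pi-file') {
  return `<span class="${escapeHtml(iconClass)}"></span> ${escapeHtml(label)}`;
}

// Simple self-check usable in a unit test: after labelling, the element
// must contain the filename verbatim and no element children.
function labelIsRenderedSafely(el, label) {
  const childCount = el.children ? el.children.length : 0;
  return el.textContent === label && childCount === 0;
}

// Stand-alone usage: in a browser this builds a real <li>; in Node a plain
// object with the same properties stands in for the element.
function demo() {
  const el =
    typeof document !== 'undefined'
      ? document.createElement('li')
      : { textContent: '', children: [] };
  setMenuLabel(el, MALICIOUS_FILENAME);
  return {
    safe: labelIsRenderedSafely(el, MALICIOUS_FILENAME),
    escaped: renderMenuItemHtml(MALICIOUS_FILENAME),
  };
}

console.log(demo());
```

`setMenuLabel` is the drop-in replacement for an `el.innerHTML = label` assignment; `escapeHtml` is only needed when the surrounding template is itself HTML, and even then `textContent` on a dedicated child node is the simpler option.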
Storybook build completed successfully at 02/16/2026, 11:32:59 PM UTC.

Playwright: 523 passed, 0 failed, 2 flaky.
Backport of #8887 to core/1.39. Automatically created by backport workflow.